feat: update ownership required decorator

basedosdados · Apr 6, 2024 · 212fc9f · 212fc9f
1 parent 8750bed
commit 212fc9f
Showing 1 changed file with 7 additions and 5 deletions.
diff --git a/bd_api/custom/graphql_jwt.py b/bd_api/custom/graphql_jwt.py
@@ -42,11 +42,12 @@ def wrapper(*args, **kwargs):
 
 
 def ownership_required(f, exc=exceptions.PermissionDenied):
-    """Custom decorator to limit graphql account mutations
+    """Decorator to limit graphql queries and mutations
 
-    - Superusers are allowed to edit accounts
-    - Anonymous users are allowed to create accounts
-    - Authenticated users are allowed to edit their own account
+    - Super users are allowed to edit all resources
+    - Staff users are allowed to edit all resources
+    - Anonymous users are allowed to create resources
+    - Authenticated users are allowed to edit their own resources
 
     References:
     - https://django-graphql-jwt.domake.io/decorators.html
@@ -63,6 +64,8 @@ def get_uid(context, exp=r"id:\s[\"]?(\d+)[\"]?"):
     @wraps(f)
     @context(f)
     def wrapper(context, *args, **kwargs):
+        if context.user.is_staff:
+            return f(*args, **kwargs)
         if context.user.is_superuser:
             return f(*args, **kwargs)
         uid = get_uid(context)
@@ -72,7 +75,6 @@ def wrapper(context, *args, **kwargs):
         if context.user.is_authenticated:
             if context.user.id == uid[0]:
                 return f(*args, **kwargs)
-
         raise exc
 
     return wrapper